WSO2 IS-KM and WSO2 AM with HA - wso2

I'm trying to implement a double HA solution with WSO2AM and WSO2IS as Key Manager.
Currently I have 2 nodes; WSO2AM and WSO2IS-KM are installed on each one and work perfectly. Both nodes access and write to the same database.
The issue starts when I try to access an application registered in the Store from a node other than the one it was created on.
I installed WSO2AM 2.6.0 and IS-KM 5.7.0 on a CentOS environment. Both AM and IS-KM run on the same node with a port offset. I have 2 nodes configured like that.
Example of the issue:
From node 1 I access the Store of node 1 and create a new app. I generate the tokens and keys without any issues. After that, I access the Store of node 2; I see the same application, but when I try to access and view the tokens it throws an exception like "the OAuth token does not exist" or something like that (I forgot to keep proof of that).
I understand that I have to make WSO2AM HA, but I'm not quite sure if I have to deploy WSO2IS as HA and after that convert it to KM, or what exactly I have to do.
Basically I want to have both roles in HA and both Stores accessing the same apps with the same tokens regardless of the node that is sending the request.

You can configure both API Manager nodes (node01 & node02) with IS as Key Manager to achieve your use case.
If you are using only one IS Key Manager instance and two API Manager nodes, then it is required to front both API Manager nodes with a load balancer (HA deployment with sticky sessions enabled & datasources shared among all the nodes) and configure the API Manager as follows:
API Manager Nodes: api-manager.xml (assumption IS-KM port offset 1, therefore 9444)
<AuthManager>
<!-- Server URL of the Authentication service -->
<ServerURL>https://localhost:9444/services/</ServerURL>
...
</AuthManager>
...
<APIKeyValidator>
<!-- Server URL of the API key manager -->
<ServerURL>https://localhost:9444/services/</ServerURL>
...
</APIKeyValidator>
IS Key Manager Node: api-manager.xml
<APIGateway>
<Environments>
<Environment type="hybrid" api-console="true">
...
<!-- Server URL of the API gateway -->
<ServerURL>https://loadbalancer/services/</ServerURL>
...
</APIGateway>
Sample NGINX
upstream mgtnode {
server localhost:9443; # api manager node 01
server localhost:9443; # api manager node 02
}
server {
listen 443;
server_name mgtgw.am.wso2.com;
proxy_set_header X-Forwarded-Port 443;
...
location / {
...
proxy_pass https://mgtnode;
}
}

Related

Can multiple WSO2 API Managers integrate with a single WSO2IS-KM 5.7.0?

We have installed WSO2 IS-KM version 5.7.0 and we want to integrate multiple WSO2 API Manager version 2.6.0 nodes with WSO2 IS-KM.
Requesting you to please suggest and share the link to configure multiple WSO2 API Manager nodes with WSO2 IS-KM version 5.7.0.
Please find a simple set of configurations for setting up multiple API Manager nodes with a single IS as Key Manager. It is required to front the API Manager nodes with a load balancer (with sticky sessions enabled & data-sources shared among all the nodes) and configure the API Manager nodes as follows:
API Manager Nodes: api-manager.xml (assumption IS-KM port offset 1, therefore 9444)
<AuthManager>
<!-- Server URL of the Authentication service -->
<ServerURL>https://localhost:9444/services/</ServerURL>
...
</AuthManager>
...
<APIKeyValidator>
<!-- Server URL of the API key manager -->
<ServerURL>https://localhost:9444/services/</ServerURL>
...
</APIKeyValidator>
IS Key Manager Node: api-manager.xml
<APIGateway>
<Environments>
<Environment type="hybrid" api-console="true">
...
<!-- Server URL of the API gateway -->
<ServerURL>https://loadbalancer/services/</ServerURL>
...
</APIGateway>
Sample NGINX
upstream mgtnode {
server localhost:9443; # api manager node 01
server localhost:9443; # api manager node 02
}
server {
listen 443;
server_name mgtgw.am.wso2.com;
proxy_set_header X-Forwarded-Port 443;
...
location / {
...
proxy_pass https://mgtnode;
}
}
References
Configuring IS as Key Manager

Can not validate authorization code in WSO2 IS 5.2.0 Cluster mode

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines).
I ensured that the "IS_HOME\repository\conf\datasources\master-datasources.xml" is configured the same way on both machines and that they are using the exact same MySQL data sources. Also I am sure that the correct database is referenced in user-mgt.xml and identity.xml.
I have two worker nodes under AWS ELB as mentioned above. When the cluster was configured the following instructions were used:
https://docs.wso2.com/display/CLUSTER44x/Clustering+Identity+Server+5.1.0
I have an application which is using the clientID and clientSecret of one of the service providers. I am using the authorization_code grant type. When I try to log in to my application and I am redirected to NODE1, I receive an authorization code and I try to get an access token by calling: https://URL/oauth2/token?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTH_CODE.
If this request is processed by NODE1 I receive an access token and everything is fine. However, if the above-mentioned request is processed by NODE2, I receive the following:
{
"error": "invalid_grant",
"error_description": "Error when validating an authorization code"
}
I am able to see the generated authorization code in the IDN_OAUTH2_AUTHORIZATION_CODE table. I double checked that the machine clocks are synchronized and are using NTP, but I am not able to validate an authorization code generated by NODE1 through NODE2 and vice versa.
If I am running a single node configuration, no such issue is reproduced.
I am not seeing any errors in wso2carbon.log regarding this issue.
I have patch0481 applied to my system.
Could this be some sort of configuration issue? If so, in which configuration files should I take a look?
Thanks in advance.

WSO2 API Manager clustering > How can I configure to work this model?

I am trying to configure Gateway clustering (1 manager, 2 workers with Nginx).
The Gateway clustering guide gave me lots of help, but not enough actually.
Some parts of the documents made me confused, so I'm not sure if it's heading the right way for the goal. Please check my configuration with the overview picture below.
Overview image link
Nginx https.conf setting
upstream wso2.am.com {
sticky cookie JSESSIONID;
server xxx.xxx.xxx.22:9443; # worker node 1
server xxx.xxx.xxx.33:9443; # worker node 2
}
server {
listen 443;
server_name nginx.wso2.com;
location / {
...
proxy_pass https://wso2.am.com; # port 9443 on the nodes is TLS, so the upstream scheme must be https
}
}
* Store, Publisher, Keymanager setting
each api-manager.xml file (/repository/conf/)
<APIGateway>
...
<ServerURL>https://xxx.xxx.xxx.x11:9444/services/</ServerURL>
...
<!-- Does this endpoint work? I received nothing through this setting -->
<GatewayEndpoint>http://nginx.wso2.com, https://nginx.wso2.com</GatewayEndpoint>
...
Gateway manager node setting
Especially, these below and setting is the most confusing.
carbon.xml file (/repository/conf/)
<HostName>???</HostName> <!-- should be nginx host? worker host?-->
<MgtHostName>???</MgtHostName> <!-- should be nginx host? or manager node? -->
Gateway worker nodes setting
carbon.xml file (/repository/conf/)
<HostName>???</HostName> <!-- should be nginx host? or worker node? -->
<MgtHostName>???</MgtHostName> <!-- should be nginx host? or manager node? -->
Any comments will be helpful for me.
Thanks , Regards
The pattern looks good. I would propose having separate host machines for Key Manager, Gateway Manager, Publisher, and Store in a production environment. However, even if you have several components on the same machine, you should keep separate hostnames for separate components. Choose them as you prefer.
E.g.
Publisher wso2.publisher-apim.com
Store wso2.store-am.com
Gateway Manager wso2.mgt-am.com
Gateway Workers wso2.am.com
Key Manager wso2.km-am.com
Then you need to configure Nginx according to that (map the worker node IPs to wso2.am.com as per the above definition).
Regarding the host name and mgt host name of the Management node, the document you should refer to is this.
E.g. according to the above definitions,
<HostName>wso2.am.com</HostName>
<MgtHostName>wso2.mgt-am.com</MgtHostName>
Regarding the host name and mgt host name of the Worker node, the document you should refer to is this.
E.g. according to the above definitions,
<HostName>wso2.am.com</HostName>
Don't uncomment the MgtHostName node.
Also map the hostnames to IPs as instructed here and here. This hostname mapping is done in the /etc/hosts file, and is only required when a DNS service is not available.
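The two NGINX fragments on this page (the "Sample NGINX" in the first answer and the https.conf in the question above) both elide the parts that decide whether a clustered deployment actually works: how stickiness is obtained on open-source nginx, which backend port carries which kind of traffic, and how redirects from a node are kept on the proxy hostname. The configuration below is an added example, not the configuration from either answer or from WSO2's documentation. It uses the hostnames proposed above (wso2.am.com for the gateway workers, wso2.store-am.com and wso2.publisher-apim.com for the UIs) and the xxx.xxx.xxx.22 / xxx.xxx.xxx.33 worker addresses from the question; the management node names apim-node01 / apim-node02, the certificate and CA paths are assumptions.

```nginx
# Added example (not from the original answers). Assumptions: the worker
# nodes expose the pass-through gateway on 8243 and the management nodes
# expose Publisher/Store on 9443 (WSO2 AM 2.6.0 defaults); certificate
# paths and the backend CA file are placeholders to adjust.

# Gateway (API) traffic. Token validation is stateless, so no stickiness
# is needed and a node that fails health checks is simply skipped.
upstream gwnode {
    server xxx.xxx.xxx.22:8243 max_fails=3 fail_timeout=30s;   # worker node 1
    server xxx.xxx.xxx.33:8243 max_fails=3 fail_timeout=30s;   # worker node 2
}

# Publisher/Store/Carbon UIs are session based, so a browser must keep
# hitting the node that created its JSESSIONID.
# "sticky cookie JSESSIONID;" (as in the question) is NGINX Plus only.
# Hashing $cookie_JSESSIONID is not a substitute: the login request that
# creates the session carries no cookie yet, so the next request can land
# on a different node. Open-source nginx: use client-address affinity.
upstream mgtnode {
    ip_hash;
    server apim-node01:9443;   # assumed hostname, API Manager node 01
    server apim-node02:9443;   # assumed hostname, API Manager node 02
}

server {
    listen 443 ssl;
    server_name wso2.am.com;
    ssl_certificate     /etc/nginx/certs/wso2.am.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/wso2.am.com.key;   # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://gwnode;          # 8243 is TLS: the scheme must be https
        proxy_ssl_verify on;                # verify the worker's certificate
        proxy_ssl_trusted_certificate /etc/nginx/certs/wso2-backend-ca.pem;  # assumed path
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_read_timeout 5m;
    }
}

server {
    listen 443 ssl;
    server_name wso2.store-am.com wso2.publisher-apim.com;
    ssl_certificate     /etc/nginx/certs/wso2-mgt.crt;      # assumed path
    ssl_certificate_key /etc/nginx/certs/wso2-mgt.key;      # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://mgtnode;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/wso2-backend-ca.pem;  # assumed path
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_read_timeout 5m;

        # nginx's equivalent of Apache's ProxyPassReverse: if a node answers
        # with a 302 whose Location names itself, rewrite it to the proxy
        # hostname so the browser never leaves the load balancer. This is
        # only a backstop; the real fix is HostName/MgtHostName in carbon.xml
        # and proxyPort=443 on the Tomcat connector, as described for the
        # F5 case further down the page.
        proxy_redirect https://apim-node01:9443/ https://$host/;
        proxy_redirect https://apim-node02:9443/ https://$host/;
    }
}
```

With this in place the GatewayEndpoint in api-manager.xml should name the proxy (https://wso2.am.com) rather than a node, and the worker nodes' HostName should be wso2.am.com so that the gateway's own absolute URLs match what clients are given.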

WSO2 API Manager with F5

We are trying to set up a WSO2 API Manager cluster with F5 as the load balancer and have been having issues with having F5 in the mix. One manager instance is set up on a server (server/admin port: node1.xyz.com:9443) behind F5 (manager.xyz.com, which maps to node1.xyz.com:9443).
After several trial-and-error attempts, we found the issue to be with the API key manager URL configuration in the worker instance. Using the direct server/port URL (i.e. node1.xyz.com:9443) works fine. However, using the F5 URL (i.e. manager.xyz.com) results in the exception below. Any thoughts as to what may be incorrect or missing?
Eventually we want to have two manager instances running. So we would like to get this F5 setup working such that worker instances can point to F5 instead of an individual manager node.
Thanks for the help in advance!
Configuration in the Worker node that works:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://node1.xyz.com:9443${carbon.context}/services/</ServerURL>
Configuration in the Worker node that causes error with F5:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://manager.xyz.com${carbon.context}/services/</ServerURL>
Exception when using F5:
TID: [0] [AM] [2014-12-11 16:03:37,697] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftAPIDataStore.getAllURITemplates(ThriftAPIDataStore.java:99)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getAllURITemplates(APIKeyValidator.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetAPIInfo(APIKeyValidator.java:368)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:343)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:172)
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:93)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:92)
A few immediate things you could check:
Make sure the <HostName> and <MgtHostName> elements in KeyManager_HOME/repository/conf/carbon.xml are set to the hostname of the F5, i.e. "manager.xyz.com".
Add the proxyPort=443 attribute to the https connector in KeyManager_HOME/repository/conf/tomcat/catalina-server.xml. Configure the http connector as well if desired.
If you did not set the above two settings, the HTTP 302 redirects fail, which might explain your scenario. Also, we ask users to configure ProxyPassReverse in addition to ProxyPass when using Apache HTTPD as the reverse proxy. I'm not sure of the equivalent config for F5.
If the above didn't help, we need to know what your deployment looks like to help you better, i.e. how you cluster the nodes, whether you have separate API gateway and key manager instances, etc.
I think it will be worth your while to go through the WSO2 cluster guide to understand the clustering logic better.
With APIM, you can have separate Key Manager, API Gateway (and API Store, API Publisher) nodes. The worker-manager separation only applies to the API Gateway; there is no worker-manager separation needed for the Key Manager. So you may think of all the API Key Manager nodes as hybrid nodes that provide both manager and worker functionality.
We can look further if you do not have separate key managers.

mule versioning on web service

I have the same Mule web service application with 2 different versions deployed on the same Mule server. Let's call them MuleApp.1.0 and MuleApp.1.1. The flow is as simple as the web service flow example on the MuleSoft website. Their WSDL URLs are different:
http://www.myhost.com:25101/MuleApp.1.0/Service?wsdl
http://www.myhost.com:25101/MuleApp.1.1/Service?wsdl
Both of them work as expected when the other is not deployed on the Mule server. The issue happens when I have both of them deployed on the same Mule server, like I used to do in WebLogic. Now I am able to access MuleApp.1.1, but when I try to access MuleApp.1.0, I get the error below:
07-Mar-2013:14:52:57.142 VWILVM3667 [MuleApp.1.1].connector.http.mule.default.receiver.03
WARN org.mule.transport.http.HttpMessageReceiver NA
No receiver found with secondary lookup on connector: connector.http.mule.default with URI key: http://www.myhost.com:25101/MuleApp.1.0/Service
This is supposed to be a very common versioning case. What did I miss in my config?
You can't have two different applications sharing the same HTTP port in the same Mule instance.
So what probably happens is that MuleApp.1.0 doesn't deploy properly (check the logs), which is why there is no endpoint listening on /MuleApp.1.0.
Either:
Use a different port in the two apps,
Put both flows in a single app, or
Create a frontal app that listens on port 25101 on both the /MuleApp.1.0 and /MuleApp.1.1 paths and dispatches requests to MuleApp.1.0 and MuleApp.1.1 on private ports (say 25102 and 25103).
I finally deployed my application on Tomcat and replaced the HTTP inbound endpoint with a servlet inbound endpoint. I configured web.xml with the servlet class org.mule.transport.servlet.MuleReceiverServlet. Now I am able to deploy multiple applications on the same port.